Finding the Devil Inside: The Psychology of the Insider Threat

A story about hackers utilizing complicated exploits to infiltrate a computer network is sure to generate headlines. But sometimes it’s the devil you know that can do the most damage.

Identifying a potential malicious insider before he or she is able to walk away with intellectual property can be the difference between a good night’s sleep and several weeks’ worth of public relations fallout. According to psychologists Dr. Eric Shaw and Harley Stock, there are warning signs organizations can heed if they know what to look for.

In a new report commissioned by Symantec, “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall,” Shaw and Stock analyzed insider breaches to get a sense of not only how insiders steal data, but who does it and why. Among their findings:

• Roughly 65% of insiders who steal intellectual property had already accepted positions with a competing company, or had started their own, at the time of the theft.

• People typically steal information they are authorized to access. According to their data, 75% of insiders stole material they were authorized to see.

• The average insider IP theft is committed by a male employee about 37 years old who serves in a technical position such as an engineer, scientist or programmer. In addition, the majority of IP thieves had signed IP agreements, indicating that policies alone are often ineffective.

• IP theft by insiders is often precipitated by professional setbacks. With many IP thieves, there is a sense of disgruntlement with the organization.

Organizations need to take a multi-disciplinary approach to dealing with insider threats that involves creating a team that includes not only IT security, but human resources and physical security as well, Shaw said. Silos in an organization can make it difficult for the organization to understand whether or not it is at risk, he added.

“I ran into a common problem at a large defense contractor where we did an insider risk audit,” he explained. “We discovered that HR had scheduled mass lay-offs but IT security was unaware of these exits from the firm on a particular day. So what the company faced was hundreds of disgruntled workers leaving a high-tech manufacturing facility who retained remote access to the firm's network. This could be a nightmare scenario for IT theft. Only communication between the groups can head-off such challenges.”

In addition, there can be signs that an employee is exhibiting troublesome behavior that are invisible to IT, Shaw said: conflict with supervisors, misreporting of expenses or a disagreement with the company over the ownership of IP, for example.

Still, Shaw and Stock note in their report that being disgruntled does not always translate into theft.

“We do not yet have controlled research on observable differences between employees with intentions versus volition and action,” they wrote. “However, employees who go on to commit IP theft appear to display a propensity for action through concerning behaviors in the work environment…concerning behaviors include violations of policy or practice, manifestations of disgruntlement or signs of theft preparation that are potentially visible to others in the work environment.”

Dawn Cappelli is technical manager of CERT’s Insider Threat Center program and Vulnerability Management team at Carnegie Mellon University, and no stranger to the topic of insider threats. According to Cappelli, most malicious insiders set up their attack before termination and carry it out after leaving, typically within 30 days of resignation. This is particularly true for those after IP, she said, while those who steal personally identifiable information or credit card data tend to steal small amounts and try to lay low.

“They do not want to get caught - they want to lie low so they can continue to carry out their crime over a long period of time,” she said.
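The lay-off scenario Shaw describes (departed workers who retain remote access) and Cappelli's observation that most insider attacks are carried out after leaving, typically within 30 days, both reduce to the same defender's check: reconcile the HR departure list against remote-access accounts and access logs. The following is an added example, not the audit tooling Shaw refers to nor any CERT code; the roster format, the VPN log format, the 30-day window and all names and dates are constructed for illustration.

```python
"""Reconcile an HR departure roster against remote-access accounts and activity.

Added example; the data formats and every user, date and account below are
constructed assumptions, not real records.
"""
from datetime import date, timedelta

# Constructed HR roster: user -> (resignation/notice date, last working day).
ROSTER = {
    "dave": (date(2012, 4, 2), date(2012, 4, 16)),
    "erin": (date(2012, 4, 9), date(2012, 4, 20)),
    "frank": (date(2012, 4, 9), date(2012, 4, 20)),
}

# Constructed remote-access (VPN) log: (user, date of session).
ACCESS_LOG = [
    ("dave", date(2012, 4, 10)),
    ("dave", date(2012, 4, 15)),
    ("dave", date(2012, 4, 23)),   # after dave's last working day
    ("erin", date(2012, 4, 12)),
    ("frank", date(2012, 4, 18)),
    ("frank", date(2012, 5, 3)),   # 13 days after frank's last day
    ("frank", date(2012, 5, 25)),  # 35 days after frank's last day
    ("grace", date(2012, 4, 30)),  # not on the departure roster, ignored
]

# Constructed set of accounts still enabled on the remote-access gateway.
ACTIVE_REMOTE_ACCOUNTS = {"dave", "erin", "frank", "grace"}


def retained_access(roster, active_accounts, as_of):
    """Departed users (last working day before as_of) whose remote account is still enabled.

    This is the gap in the lay-off story: HR knows the exits, the gateway does not.
    """
    return sorted(
        user for user, (_, last_day) in roster.items()
        if last_day < as_of and user in active_accounts
    )


def post_departure_access(roster, access_log, window_days=30):
    """Map user -> [(session date, inside_window)] for sessions after the last working day.

    inside_window is True when the session falls within window_days of the
    last working day, the period in which most post-departure activity occurs.
    """
    hits = {}
    for user, day in access_log:
        if user not in roster:
            continue
        _, last_day = roster[user]
        if day > last_day:
            inside = day <= last_day + timedelta(days=window_days)
            hits.setdefault(user, []).append((day, inside))
    return hits


if __name__ == "__main__":
    print("still enabled after departure:", retained_access(ROSTER, ACTIVE_REMOTE_ACCOUNTS, date(2012, 5, 1)))
    for user, sessions in post_departure_access(ROSTER, ACCESS_LOG).items():
        for day, inside in sessions:
            print(f"{user}: remote session on {day} {'(within 30-day window)' if inside else '(beyond window)'}")
```

Run daily with the real roster and gateway export substituted for the constructed ones; a non-empty `retained_access` result is an offboarding failure to fix regardless of whether any session is seen, and a session after the last working day is a high-priority item for the joint HR/IT/physical-security team the report recommends.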

Strong pre-employment screening, such as criminal background checks and the contacting of references, and training for employees about an organization’s security policies are also important, Stock and Shaw wrote in their report.

Even though many IP thieves steal data they already have access to, there remains a role for technology to play in all this as well. According to Tim Matthews, senior director of product marketing at Symantec, data loss prevention (DLP) technology can help when it comes to pinpointing malicious behavior.

“One thing we've noticed on the technology side is that people think data loss prevention technology only spots individual pieces of sensitive data, but what they don't understand is that DLP can also identify behaviors that differ from an individual user's norm such as a dramatic increase in the frequency of copying or downloading data,” he said. “This can serve as an indicator of a potential insider issue, but it needs to be evaluated in context with other concerning behaviors and personal predispositions that IT can't spot.”
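Matthews' point is that the signal is a departure from the user's own norm, not the content of any single file. The following added example shows that baseline-deviation logic over a constructed copy/download log; it is not Symantec's DLP product or code, and the log format, the leave-one-out baseline, the z-score and ratio thresholds and the sample users are all assumptions chosen for illustration.

```python
"""Flag days on which a user's copy/download volume departs sharply from that user's own baseline.

Added example; the log format, thresholds and sample data are constructed
assumptions, not a vendor's detection logic.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev


def build_sample_log():
    """Constructed log lines in the assumed 'user,YYYY-MM-DD,action' format."""
    lines = []
    # alice: two or three downloads a day for six days, then a burst of forty copies
    for i in range(1, 7):
        lines += [f"alice,2012-03-{i:02d},download"] * (2 + i % 2)
    lines += ["alice,2012-03-07,copy"] * 40
    # bob: exactly three copies every day, plus views that the baseline ignores
    for i in range(1, 8):
        lines += [f"bob,2012-03-{i:02d},copy"] * 3
        lines.append(f"bob,2012-03-{i:02d},view")
    # carol: too little history to build a baseline at all
    lines += ["carol,2012-03-05,download", "carol,2012-03-06,download"]
    return lines


def parse_log(lines):
    """Yield (user, date, action) from 'user,YYYY-MM-DD,action' lines."""
    for line in lines:
        user, day, action = line.strip().split(",")
        yield user, date.fromisoformat(day), action


def daily_counts(events, counted_actions=("copy", "download")):
    """Per-user map of date -> number of counted events that day.

    Only days with at least one counted event appear, so the baseline is over
    active days; a quiet user with zero-activity days is not penalised for them.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, action in events:
        if action in counted_actions:
            counts[user][day] += 1
    return counts


def flag_deviations(counts, min_baseline_days=5, z_threshold=3.0, min_ratio=3.0):
    """Return {user: [(date, count, baseline_mean), ...]} for days far above the user's norm.

    The baseline for each day excludes that day (leave-one-out) so a single
    burst cannot inflate its own mean. A day is flagged only if it is at least
    min_ratio times the baseline mean AND (when the baseline varies at all)
    at least z_threshold standard deviations above it; the ratio guard stops a
    flat history of small counts, whose deviation is near zero, from flagging
    ordinary fluctuation.
    """
    flagged = defaultdict(list)
    for user, per_day in counts.items():
        days = sorted(per_day)
        if len(days) <= min_baseline_days:
            continue  # not enough history to say what "normal" is for this user
        for day in days:
            baseline = [per_day[d] for d in days if d != day]
            mu, sigma = mean(baseline), pstdev(baseline)
            count = per_day[day]
            if count < min_ratio * mu:
                continue
            if sigma == 0 or (count - mu) / sigma >= z_threshold:
                flagged[user].append((day, count, round(mu, 2)))
    return dict(flagged)


if __name__ == "__main__":
    flags = flag_deviations(daily_counts(parse_log(build_sample_log())))
    for user, spikes in flags.items():
        for day, count, mu in spikes:
            print(f"{user}: {count} copy/download events on {day}, baseline mean {mu}")
```

With the constructed data only alice's seventh day is flagged; bob's steady three copies a day never leave his own norm, and carol is skipped for lack of history. As Matthews says, a flag here is an indicator to be weighed alongside the behavioural signs HR and managers see, not a verdict on its own.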